Your SlideShare is downloading. ×
RFID Privacy Without Killing
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

RFID Privacy Without Killing

2,361
views

Published on

Presentation by Ravi Pappu on RFID Privacy Without Killing (ravi.pappu@thingmagic.com)

Presentation by Ravi Pappu on RFID Privacy Without Killing (ravi.pappu@thingmagic.com)

Published in: Education, Technology

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
2,361
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
0
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. RFID Privacy Without Killing Ravi Pappu Co-Founder ThingMagic Inc. Joint work with Ari Juels (RSA, CUSP) and Bryan Parno (CMU) 1 © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
  • 2. Key messages • Tiny Secret Sharing (TSS) enables consumer privacy now ‣ No heroic measures required ‣ No dependence on any particular standard fully standards compliant • Consumer privacy is achieved by exploiting the natural movement of tagged products through the supply chain ‣ Privacy through dispersion and history erasure © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 2
  • 3. Summary • Tiny Secret Sharing (TSS) enables RFID privacy without killing • Encryption key length is a free-variable - security can be tailored. • TSS is protocol-independent, and completely local - no network required. • It scales to item-level tagging • The only resources needed are tag memory and some computing power at reader • TSS allows use of standard cryptographic mechanisms for encryption, hashing • TSS fits naturally in many supply-chain scenarios where we have less than 100% reads and where stray tags or counterfeits are present. • TSS solves key-management problem - enables privacy and write/lock PIN distribution. © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 3
  • 4. Threat Contexts © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 4
  • 5. Object Hierarchies Physically secured areas Open areas 90 cases with 90 cases with 10 cases with Between 72 and Typically less than 72 items each 72 items each 72 items each 144 items 10 items 1. Factory 2. Distribution 3. De- & Re-Palletization 4. Backroom of 5. Store 6. Individual Center and transportation retail store shelf consumers TIME © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 5
  • 6. Object Hierarchies Physically secured areas Open areas 90 cases with 90 cases with 10 cases with Between 72 and Typically less than 72 items each 72 items each 72 items each 144 items 10 items 1. Factory 2. Distribution 3. De- & Re-Palletization 4. Backroom of 5. Store 6. Individual Center and transportation retail store shelf consumers TIME Razor blades 6571 730 144 5 DVDs 5040 2520 400 24 Pharma. 7200 1920 150 6 Source: EPCGlobal Item Level JRG © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 5
  • 7. Object Hierarchies Physically secured areas Open areas 90 cases with 90 cases with 10 cases with Between 72 and Typically less than 72 items each 72 items each 72 items each 144 items 10 items 1. Factory 2. Distribution 3. De- & Re-Palletization 4. Backroom of 5. Store 6. Individual Center and transportation retail store shelf consumers TIME © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 6
  • 8. Object Hierarchies Physically secured areas Open areas 90 cases with 90 cases with 10 cases with Between 72 and Typically less than 72 items each 72 items each 72 items each 144 items 10 items 1. Factory 2. Distribution 3. De- & Re-Palletization 4. Backroom of 5. Store 6. Individual Center and transportation retail store shelf consumers TIME Tags start out in large collections which become smaller over time. © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 6
  • 9. Object Hierarchies Physically secured areas Open areas 90 cases with 90 cases with 10 cases with Between 72 and Typically less than 72 items each 72 items each 72 items each 144 items 10 items 1. Factory 2. Distribution 3. De- & Re-Palletization 4. Backroom of 5. Store 6. Individual Center and transportation retail store shelf consumers TIME Tags start out in large collections which become smaller over time. Larger collections of tags are typically located in secure areas. © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 6
  • 10. Object Hierarchies Physically secured areas Open areas 90 cases with 90 cases with 10 cases with Between 72 and Typically less than 72 items each 72 items each 72 items each 144 items 10 items 1. Factory 2. Distribution 3. De- & Re-Palletization 4. Backroom of 5. Store 6. Individual Center and transportation retail store shelf consumers TIME Tags start out in large collections which become smaller over time. Larger collections of tags are typically located in secure areas. Shared context from earlier times is not available at later times to adversary. © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 6
  • 11. Key question • Can we exploit the three observations to provide strong privacy in RFID-enabled supply chains? • Yes! In order to do so, we turn to a cryptographic method called secret sharing. © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 7
  • 12. Secret Sharing © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 8
  • 13. Secret Sharing Secret © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 8
  • 14. Secret Sharing Shares Secret © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 8
  • 15. Secret Sharing Shares Secret In practice, secrets are shared by evaluating polynomials over finite fields. © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 8
  • 16. (n, n) secret sharing Shares Secret All n shares required to recover secret No information revealed if fewer than n shares available Developed independently by shamir and Blakely in 1974. © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 9
  • 17. (n, n) secret sharing Secret All n shares required to recover secret No information revealed if fewer than n shares available Developed independently by shamir and Blakely in 1974. © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 9
  • 18. (k, n) secret sharing Shares Secret Any k out of n shares are sufficient to recover secret. No information revealed if fewer than k shares are available. © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 10
  • 19. (k, n) secret sharing Secret Any k out of n shares are sufficient to recover secret. No information revealed if fewer than k shares are available. © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 10
  • 20. (k, n) secret sharing Shares Secret Any k out of n shares are sufficient to recover secret. No information revealed if fewer than k shares are available. © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 11
  • 21. (k, n) secret sharing Secret Any k out of n shares are sufficient to recover secret. No information revealed if fewer than k shares are available. © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 11
  • 22. Our approach © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 12
  • 23. Our approach Pallet of n t1 t2 t3 t4 . . tn-3 tn-2 tn-1 tn © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 12
  • 24. Our approach Pallet of n Pallet of n t1 E(K, t1) s1 t2 E(K, t2) s2 t3 E(K, t3) s3 t4 E(K, t4) s4 . . . . tn-3 E(K, tn-3) sn-3 tn-2 E(K, tn-2) sn-2 tn-1 E(K, tn-1) sn-1 tn E(K, tn) sn Encrypt all tags using a pallet-specific secret key K. Append a share of the secret to each tag. © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 12
  • 25. System level challenges Need to decide encryption method, key size, sharing/recovery algorithm, share size © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 13
  • 26. System level challenges s1 s2 s3 s4 K (k, n) sharing key length sn-3 sn-2 sn-1 sn Need to decide encryption method, key size, sharing/recovery algorithm, share size © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 13
  • 27. System level challenges s1 s2 s3 s4 K (k, n) sharing key length sn-3 sn-2 sn-1 sn Need to decide encryption method, key size, sharing/recovery algorithm, share size © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 13
  • 28. System level challenges s1 s2 s3 s4 K (k, n) sharing key length sn-3 sn-2 sn-1 sn E(K, tn) sn encryption method share size Need to decide encryption method, key size, sharing/recovery algorithm, share size © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 13
  • 29. Practical requirements • Share size has to be tiny, because tag memory is at a premium ‣ Krawczyk (1994) focused on short shares, but even these are 128 bits long. ‣ Current memory capacity on EPC Gen2 tags is 96 bits Tiny Secret Sharing • Sharing and recovery algorithms have to be computationally efficient. • System should be robust against ‣ changes in the order of tag reading i.e. permutation invariance ‣ sub-100% read rates ‣ stray reads (or counterfeits) © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 14
  • 30. Mercury5 read performance Improved read performance stray reads from adjacent dock door These are errors sub-100% reads These are erasures ■ Peanut Butter (70 Tag Pallet) ■ Cooking Oil (40 Tag Pallet) © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
  • 31. Reed-Solomon Codes • (n, k, d) codes over GF (2m ) • Total number of symbols = number of tags = n • Symbols required to recover message = threshold number of tags = k • Code can detect and correct upto s = (d/2) errors = stray tags or counterfeits • Code can detect and correct upto r = (d − 1) erasures = missed tags • With s stray tags and r missed tags, code can correct as long as 2s + r < d • This formulation is identical to (k, n) secret sharing • Encoding and decoding are efficient on low-powered machines © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 16
  • 32. Permutation invariance • RS codes originally invented to solve digital communication problems • Order of code symbols is usually preserved (s1 , s2 , s3 .....sn−2 , sn−1 , sn ) → (s1 , s2 , s3 .....sn−2 , sn−1 , sn ) • In RFID, code symbols are always permuted, because order of tag reading is based on randomization at the MAC layer. (s1 , s2 , s3 .....sn−2 , sn−1 , sn ) → (s6 , s1 , sn−4 .....sn , s7 , s3 ) • In order to use RS codes, we also need to make the symbol index available at destination. ({s6 , 6}, {s1 , 1}, {sn−4 , (n − 4)}.....{sn , n}, {s7 , 7}, {s3 , 3}) © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 17
  • 33. Permutation invariance 2 © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 18
  • 34. Permutation invariance 2 E(K, t1) s1 1 E(K, t2) s2 2 . . E(K, tn-1) sn-1 n-1 E(K, tn) sn n © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 18
  • 35. Permutation invariance 2 E(K, t1) E(K, t2) s1 s2 1 2 . . E(K, tn-1) sn-1 n-1 E(K, tn) sn n © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 18
  • 36. Permutation invariance 2 E(K, t1) E(K, t2) s1 s2 1 2 . . E(K, tn-1) sn-1 E(K, t1) sH(E(K, t )) n-1 1 E(K, tn) sn n E(K, t2) sH(E(K, t )) 2 . Instead of adding separate index, use uniqueness of the . EPC to generate symbol index on the fly via hashing E(K, tn-1) sH(E(K, t )) n-1 E(K, tn) sH(E(K, t )) n © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 18
  • 37. Field size • Field size GF (2m ) needs to be chosen to avoid index collisions. • If we have n tags, then 2m ≥ n2 or m ≥ log2 (n2 ) # of tags n # of bits in shares m E(K, t1) sH(E(K, t )) 1 50 12 E(K, t2) sH(E(K, t )) 2 256 16 1000 20 Need to avoid collisions 10000 27 © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 19
  • 38. (15, 20) TSS scheme over GF(216) !quot;#quot;$%quot;#!&'(#%)quot;$(* ,,-1231422512314225 ++*,!'),-..%!/&,$,# '--1231422512314225 &+,-,*%0(,quot;!&-,+.)! !--1231422512314225 '.'*-#%)quot;#0#,(-.'#! ,)-1231422512314225 %&//(,()#*0#$$%$0'. ,%-1231422512314225 )&*+,-'(./012 $%(+#.!0quot;,(/*+#/!#) ,#-1231422512314225 1(*+,-'(./012 %&'(&&quot; %.+quot;#,$,$$)0quot;--+*!. ,'-1231422512314225 $/0/,!$quot;-/&$*'.(quot;'& ,*-1231422512314225 #),+)000).'!'/$($+. ,--1231422512314225 +,0/%#,$0(#&quot;)#.'++ ,+-1231422512314225 .(.++0(quot;quot;'+-quot;,,!,(# *--1231422512314225 !quot;#$ © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 20
  • 39. RFID privacy without killing Physically secured areas Open areas 90 cases with 90 cases with 10 cases with Between 72 and Typically less than 72 items each 72 items each 72 items each 144 items 10 items 1. Factory 2. Distribution 3. De- & Re-Palletization 4. Backroom of 5. Store 6. Individual Center and transportation retail store shelf consumers TIME 5D6DB3D6542E639DBE7 110deadbeefdeadbeef 887152910AA35F41B16 200deadbeefdeadbeef 4810173CE1D54018A95 500deadbeefdeadbeef 4810173CE1D54018A95 2A270639D6C61E0A265 190deadbeefdeadbeef BFCF15BD0F4B72AED24 ? 34FFE1E967C6BB3BC2A 130deadbeefdeadbeef 69189CCC9A252FBEB8A B3E86A5CD1EF786F569 160deadbeefdeadbeef 2A270639D6C61E0A265 3A8D61B1BB9CD00875A 120deadbeefdeadbeef AEA88CEDD280D1151E6 BFCF15BD0F4B72AED24 170deadbeefdeadbeef 5D6DB3D6542E639DBE7 69189CCC9A252FBEB8A 100deadbeefdeadbeef 81CF361BCE64D96A288 180deadbeefdeadbeef AEA88CEDD280D1151E6 700deadbeefdeadbeef © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 21
  • 40. Summary • Tiny Secret Sharing (TSS) enables RFID privacy without killing • Encryption key length is a free-variable - security can be tailored. • TSS is protocol-independent, and completely local - no network required. • It scales to item-level tagging • The only resources needed are tag memory and some computing power at reader • TSS allows use of standard cryptographic mechanisms for encryption, hashing • TSS fits naturally in many supply-chain scenarios where we have less than 100% reads and where stray tags or counterfeits are present. • TSS solves key-management problem - enables privacy and write/lock PIN distribution. © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 22
  • 41. Key messages • Tiny Secret Sharing (TSS) enables consumer privacy now ‣ No heroic measures required ‣ No dependence on any particular standard fully standards compliant • Consumer privacy is achieved by exploiting the natural movement of tagged products through the supply chain ‣ Privacy through dispersion and history erasure © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 23
  • 42. What’s next? • Real implementation on ThingMagic Mercury5 reader in progress • Discussion about implementation in real-world needs to happen ‣ Pharmaceutical supply chain appears to be ideal • Secret sharing across time or Sliding Window Information Secret Sharing (SWISS) also detailed in paper below • Preprint available at http://eprint.iacr.org/2008/044 • Questions: ravi.pappu@thingmagic.com © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 24